swann: configure for eduroam on VLAN 100
This commit is contained in:
parent
f93ec18859
commit
a8718864c1
3 changed files with 94 additions and 9 deletions
|
@ -3,7 +3,7 @@
|
||||||
; SPDX-License-Identifier: Apache-2.0
|
; SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
|
; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
|
||||||
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 2 600 450 3600 300
|
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 3 600 450 3600 300
|
||||||
|
|
||||||
$INCLUDE tmpl.ns
|
$INCLUDE tmpl.ns
|
||||||
|
|
||||||
|
@ -260,6 +260,6 @@ $INCLUDE tmpl.ns
|
||||||
250 600 IN PTR 92-118-30-250.ptr.as205479.net.
|
250 600 IN PTR 92-118-30-250.ptr.as205479.net.
|
||||||
251 600 IN PTR 92-118-30-251.ptr.as205479.net.
|
251 600 IN PTR 92-118-30-251.ptr.as205479.net.
|
||||||
252 600 IN PTR 92-118-30-252.ptr.as205479.net.
|
252 600 IN PTR 92-118-30-252.ptr.as205479.net.
|
||||||
253 600 IN PTR 92-118-30-253.ptr.as205479.net.
|
253 600 IN PTR eduroam.mldn-rd.as205479.net.
|
||||||
254 600 IN PTR mldn-rd.as205479.net.
|
254 600 IN PTR mldn-rd.as205479.net.
|
||||||
255 600 IN PTR 92-118-30-255.ptr.as205479.net.
|
255 600 IN PTR 92-118-30-255.ptr.as205479.net.
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
; SPDX-License-Identifier: Apache-2.0
|
; SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
|
; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
|
||||||
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 33 600 450 3600 300
|
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 34 600 450 3600 300
|
||||||
|
|
||||||
; NB: this are also glue records in Google Domains.
|
; NB: this are also glue records in Google Domains.
|
||||||
$INCLUDE tmpl.ns
|
$INCLUDE tmpl.ns
|
||||||
|
@ -100,6 +100,8 @@ tuvok.ee-tuvok.mldn-rd 3600 IN A 92.118.30.3
|
||||||
tuvok.ee-tuvok.mldn-rd 3600 IN AAAA 2a09:a442::2:2
|
tuvok.ee-tuvok.mldn-rd 3600 IN AAAA 2a09:a442::2:2
|
||||||
mldn-rd 3600 IN A 92.118.30.254
|
mldn-rd 3600 IN A 92.118.30.254
|
||||||
mldn-rd 3600 IN AAAA 2a09:a443::1
|
mldn-rd 3600 IN AAAA 2a09:a443::1
|
||||||
|
eduroam.mldn-rd 3600 IN A 92.118.30.253
|
||||||
|
eduroam.mldn-rd 3600 IN AAAA 2a09:a443:2::1
|
||||||
|
|
||||||
; blade internal
|
; blade internal
|
||||||
blade-oa.blade 3600 IN A 10.100.1.200
|
blade-oa.blade 3600 IN A 10.100.1.200
|
||||||
|
|
|
@ -53,6 +53,7 @@ in {
|
||||||
ipv4.addresses = [
|
ipv4.addresses = [
|
||||||
{ address = "127.0.0.1"; prefixLength = 8; }
|
{ address = "127.0.0.1"; prefixLength = 8; }
|
||||||
{ address = "92.118.30.254"; prefixLength = 32; }
|
{ address = "92.118.30.254"; prefixLength = 32; }
|
||||||
|
{ address = "92.118.30.253"; prefixLength = 32; }
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
en-virginmedia = {
|
en-virginmedia = {
|
||||||
|
@ -79,6 +80,21 @@ in {
|
||||||
{ address = "2a09:a443:1::1"; prefixLength = 48; }
|
{ address = "2a09:a443:1::1"; prefixLength = 48; }
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
vl-eduroam = {
|
||||||
|
ipv4.addresses = [
|
||||||
|
{ address = "192.168.10.1"; prefixLength = 24; }
|
||||||
|
];
|
||||||
|
ipv6.addresses = [
|
||||||
|
{ address = "2a09:a443:2::1"; prefixLength = 64; }
|
||||||
|
{ address = "2a09:a443:3::1"; prefixLength = 48; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
vlans = {
|
||||||
|
vl-eduroam = {
|
||||||
|
id = 100;
|
||||||
|
interface = "en-general";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
dhcpcd.extraConfig = ''
|
dhcpcd.extraConfig = ''
|
||||||
|
@ -181,11 +197,21 @@ in {
|
||||||
# SNAT packets we're sending over tunnels.
|
# SNAT packets we're sending over tunnels.
|
||||||
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.254
|
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.254
|
||||||
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.254
|
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.254
|
||||||
|
|
||||||
|
# eduroam
|
||||||
|
# > mark incoming eduroam packets
|
||||||
|
iptables -w -t nat -A nixos-nat-pre -i vl-eduroam -j MARK --set-mark 2
|
||||||
|
# > NAT packets going over EE/VM.
|
||||||
|
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-virginmedia -j MASQUERADE
|
||||||
|
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-ee -j MASQUERADE
|
||||||
|
# > NAT packets going over tunnels.
|
||||||
|
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.253
|
||||||
|
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.253
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
services.dhcpd4 = {
|
services.dhcpd4 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interfaces = ["en-general"];
|
interfaces = ["en-general" "vl-eduroam"];
|
||||||
authoritative = true;
|
authoritative = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
subnet 192.168.1.0 netmask 255.255.255.0 {
|
subnet 192.168.1.0 netmask 255.255.255.0 {
|
||||||
|
@ -199,6 +225,18 @@ in {
|
||||||
|
|
||||||
range 192.168.1.100 192.168.1.200;
|
range 192.168.1.100 192.168.1.200;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
subnet 192.168.10.0 netmask 255.255.255.0 {
|
||||||
|
option subnet-mask 255.255.255.0;
|
||||||
|
option routers 192.168.10.1;
|
||||||
|
option domain-name-servers 192.168.10.1;
|
||||||
|
option domain-name "eduroam.as205479.net";
|
||||||
|
default-lease-time 600;
|
||||||
|
max-lease-time 3600;
|
||||||
|
option interface-mtu 1420; # Wireguard
|
||||||
|
|
||||||
|
range 192.168.10.100 192.168.10.200;
|
||||||
|
}
|
||||||
'';
|
'';
|
||||||
machines = [
|
machines = [
|
||||||
{
|
{
|
||||||
|
@ -294,6 +332,14 @@ in {
|
||||||
53 # DNS
|
53 # DNS
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
interfaces.vl-eduroam = {
|
||||||
|
allowedTCPPorts = [
|
||||||
|
53 # DNS
|
||||||
|
];
|
||||||
|
allowedUDPPorts = [
|
||||||
|
53 # DNS
|
||||||
|
];
|
||||||
|
};
|
||||||
interfaces.wg-tuvok-ee = {
|
interfaces.wg-tuvok-ee = {
|
||||||
allowedUDPPorts = [
|
allowedUDPPorts = [
|
||||||
3784 # BFD
|
3784 # BFD
|
||||||
|
@ -305,8 +351,17 @@ in {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
extraCommands = ''
|
extraCommands = ''
|
||||||
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
|
ip46tables -F FORWARD
|
||||||
ip6tables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
|
|
||||||
|
ip46tables -N ts-forward || true
|
||||||
|
ip46tables -A FORWARD -j ts-forward
|
||||||
|
|
||||||
|
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
|
||||||
|
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
|
||||||
|
|
||||||
|
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT
|
||||||
|
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-vm -j ACCEPT
|
||||||
|
ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -357,13 +412,13 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = ''
|
config = ''
|
||||||
.:53 {
|
.:53 {
|
||||||
bind 192.168.1.1 127.0.0.53 2a09:a443::1 2a09:a443:1::1
|
bind 192.168.1.1 192.168.10.1 127.0.0.53 2a09:a443::1 2a09:a443:1::1 2a09:a443:2::1 2a09:a443:3::1
|
||||||
acl {
|
acl {
|
||||||
allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 2a09:a443::/32
|
allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 2a09:a443::/32
|
||||||
block
|
block
|
||||||
}
|
}
|
||||||
hosts /dev/null {
|
hosts /dev/null {
|
||||||
216.239.38.120 stadia.google.com stadia.com
|
#216.239.38.120 stadia.google.com stadia.com
|
||||||
fallthrough
|
fallthrough
|
||||||
}
|
}
|
||||||
loadbalance
|
loadbalance
|
||||||
|
@ -460,6 +515,9 @@ in {
|
||||||
|
|
||||||
# Covering route...
|
# Covering route...
|
||||||
route 2a09:a443::/64 via "en-general";
|
route 2a09:a443::/64 via "en-general";
|
||||||
|
route 2a09:a443:1::/48 via "en-general";
|
||||||
|
route 2a09:a443:2::/64 via "vl-eduroam";
|
||||||
|
route 2a09:a443:3::/48 via "vl-eduroam";
|
||||||
route 2a09:a443::/32 unreachable;
|
route 2a09:a443::/32 unreachable;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -498,11 +556,28 @@ in {
|
||||||
AdvAutonomous off;
|
AdvAutonomous off;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
interface vl-eduroam {
|
||||||
|
AdvSendAdvert on;
|
||||||
|
AdvLinkMTU 1420; # Wireguard
|
||||||
|
AdvManagedFlag on;
|
||||||
|
|
||||||
|
RDNSS 2a09:a443:2::1 {};
|
||||||
|
DNSSL eduroam.as205479.net {};
|
||||||
|
|
||||||
|
prefix 2a09:a443:2::/64 {
|
||||||
|
AdvOnLink on;
|
||||||
|
AdvAutonomous on;
|
||||||
|
};
|
||||||
|
prefix 2a09:a443:3::/48 {
|
||||||
|
AdvOnLink on;
|
||||||
|
AdvAutonomous off;
|
||||||
|
};
|
||||||
|
};
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
services.dhcpd6 = {
|
services.dhcpd6 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interfaces = ["en-general"];
|
interfaces = ["en-general" "vl-eduroam"];
|
||||||
authoritative = true;
|
authoritative = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
subnet6 2a09:a443:1::/48 {
|
subnet6 2a09:a443:1::/48 {
|
||||||
|
@ -513,6 +588,14 @@ in {
|
||||||
option dhcp6.name-servers 2a09:a443:1::1;
|
option dhcp6.name-servers 2a09:a443:1::1;
|
||||||
option dhcp6.domain-search "house.as205479.net";
|
option dhcp6.domain-search "house.as205479.net";
|
||||||
}
|
}
|
||||||
|
subnet6 2a09:a443:3::/48 {
|
||||||
|
range6 2a09:a443:3:1::/64;
|
||||||
|
range6 2a09:a443:3:2::/64 temporary;
|
||||||
|
prefix6 2a09:a443:3:1000:: 2a09:a443:3:ffff:: /56;
|
||||||
|
|
||||||
|
option dhcp6.name-servers 2a09:a443:3::1;
|
||||||
|
option dhcp6.domain-search "eduroam.as205479.net";
|
||||||
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
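Review bot: The vl-eduroam isolation rules in the `extraCommands` hunk (the one headed `@ -305,8 +351,17 @@`, ending with `ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT`) are appended after `ip46tables -A FORWARD -j ts-forward`, so any packet from the eduroam VLAN that the `ts-forward` chain accepts is forwarded before the REJECT is consulted; if that chain behaves like Tailscale's own (accepting traffic bound for its tunnel interface), the guest VLAN is not actually confined to the two wg-tuvok interfaces. The three `-i vl-eduroam` rules would be safer placed directly after `ip46tables -F FORWARD`, ahead of the `-j ts-forward` jump, so the restriction holds regardless of what other chains accept; the same ordering applies to the two TCPMSS clamps, which now follow the jump whereas the removed `-I` rules preceded everything. `ip46tables -F FORWARD` also discards any FORWARD rules installed outside this block on every firewall reload; if that is intentional, a one-line comment such as `# FORWARD is rebuilt from scratch here; nothing else may add rules to it` would spare the next reader the surprise. The enclosing attribute set starts outside the hunk.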